Applies to:
- Platform: Risk Assessment Platform
- User Roles: Super Admin, Company Admin, Users with permissions
This feature allows Company Admin users to configure these company-wide settings:
- Authentication - configure and enable/disable Single Sign-On.
- Workflow - enable/disable reopening risk factors when their mapped controls' rating changes.
View Company Settings
Users with appropriate permissions can access this page from Settings > Company Settings.
Workflow - Risk Factor Reopen
This feature allows control over the reopening of risk factors when their mapped control's rating changes. This setting is company-wide.
By default, the platform will reopen risk factors when the rating of their mapped controls changes. When risk factors are automatically reopened this way, their status is changed to Awaiting Submit and sent to the Assignee defined on the risk factor.
To stop the automatic reopening of risk factors, select "Do not reopen".
Authentication Management
This feature allows the configuration of an alternative to the application's user authentication method at the company level. Typically, this involves enabling SSO authentication at the company level.
Note for users of locally installed instances (on-prem) of the platform:
- When SSO is the default authentication, this feature allows the configuration of application authentication (email and password stored in the application) at the company level.
- When application authentication (email and password) is the default authentication, this feature allows the configuration of SSO authentication at the company level.
To configure the Authentication settings, you must have the Company Admin role or another role with the Configure Company Authentication permission. Learn more about Application Role Management.
The login URL for an account with SSO authentication contains an account-specific prefix. For example, the standard login URL https://app.risk-platform.com becomes https://mycompany.risk-platform.com.
This topic contains:
- Configuring Authentication for SSO for your account
- Removing or Disabling SSO Authentication
- Common Mistakes and Solutions
Configuring Authentication for SSO for your account
There are two parts to the configuration of SSO:
- Configuring the Azure Active Directory (for the IT/Infrastructure team)
- Configuring the Risk Assessment Platform (for the Company Admin of the account)
Complete the technical requirements before configuring SSO in the Risk Assessment platform.
Technical Requirements in Azure Active Directory
Microsoft Azure Active Directory OpenID is supported.
The login account email (username) must match the Azure Active Directory (AAD) account username. If it does not match, attempting to log in will fail after enabling SSO on the platform.
Important! Users cannot log in after SSO is enabled if the usernames do not match.
Define AAD Application Registration and Authentication
- Navigate to Azure > Azure Active Directory > App Registrations > New Registration
- Complete the details as follows
- Enter a name for the application.
- Select an account type
- Enter the platform URL (https://app.risk-platform.com) into Redirect URI, replacing "app" with a vanity URL prefix representing your company; the prefix must be unique to you.
Example: https://mycompany.risk-platform.com or https://myco.risk-platform.com
- Once registered, you will be redirected to the app registration configuration page.
- Navigate to Authentication > Web and populate the Web Redirect URIs as shown below, making sure to replace "app" with the vanity URL prefix used in Step 2 above. For example:
- https://mycompany.risk-platform.com
- https://mycompany.risk-platform.com/silent-renew.html
- https://mycompany.risk-platform.com/test.html
- Navigate to Authentication and scroll down to Implicit Grant and Hybrid Flows. Enable the ID Tokens setting and press Save.
- Navigate to Expose an API > Scopes Defined by this API > Add a Scope. Accept the default Application ID URI and press Continue.
- Complete the scope fields, substituting values appropriate for your organisation.
Collect AAD Data for configuring the Risk Assessment Platform (RAP)
- Navigate to App Registration > Overview and note the Application (client) ID.
- Navigate to App Registration > Overview > Endpoints and note the OAuth 2.0 authorisation endpoint (v2).
- Provide the following details to the Risk Assessment Platform (RAP) account admin:
- The Redirect URI (see Define AAD - Step 2)
- The Application (client) ID (see Collect AAD - Step 1)
- The Authority URL (see Collect AAD - Step 2), which is the OAuth endpoint with the "oauth2" and "authorize" path segments removed.
For example, if the endpoint URL in AAD is:
https://login.microsoftonline.com/8ae297a6-f158-49ee-ab86-9a1883bdc4b6/oauth2/v2.0/authorize
The Authority URL would be:
https://login.microsoftonline.com/8ae297a6-f158-49ee-ab86-9a1883bdc4b6/v2.0
Configuring Authentication in the Risk Assessment Platform
Before configuring the Authentication settings, ensure:
- The technical requirements for Azure Active Directory are completed.
- You have the Redirect URI, Application ID, and Authority URL details.
- User's login account emails (usernames) match their Azure Active Directory account username.
Failure to do this will cause the IDP to fail to recognise the access request and prevent login.
Important! If the authentication or user settings are incorrect, you cannot log back in without assistance. Should this happen, contact us at support@arctic-inteligence.com or use the Support button in the lower left of the login page.
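The checks below are an added Python example, not part of the platform or of this guide: it derives the Authority URL from the AAD authorisation endpoint exactly as the example above does, confirms that the three Web Redirect URIs in Azure match the vanity prefix (the mismatch behind the "stsServer is not present" error in Common Mistakes), and lists platform logins with no matching AAD username (the lock-out warned about above). The platform domain, the user lists and the Azure URI list are constructed sample inputs.

```python
from urllib.parse import urlparse

# Redirect URIs the Azure app registration must list for a given vanity prefix
# (the three entries from the "Define AAD Application Registration" steps).
REQUIRED_PATHS = ("", "/silent-renew.html", "/test.html")
PLATFORM_DOMAIN = "risk-platform.com"  # assumption: domain taken from the page's examples


def derive_authority(authorize_endpoint: str) -> str:
    """Turn the AAD 'OAuth 2.0 authorization endpoint (v2)' into the Authority URL
    the platform expects: drop the 'oauth2' and 'authorize' path segments."""
    u = urlparse(authorize_endpoint)
    parts = [p for p in u.path.split("/") if p and p not in ("oauth2", "authorize")]
    return f"{u.scheme}://{u.netloc}/" + "/".join(parts)


def discovery_url(authority: str) -> str:
    """OpenID Connect discovery document published under an authority URL."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def missing_redirect_uris(prefix: str, azure_redirect_uris) -> list:
    """Redirect URIs Azure still lacks for this vanity prefix.
    Any entry here means the SSO login URL will fall back to the email/password page."""
    base = f"https://{prefix}.{PLATFORM_DOMAIN}"
    configured = {u.rstrip("/") for u in azure_redirect_uris}
    return [base + p for p in REQUIRED_PATHS if base + p not in configured]


def username_mismatches(rap_emails, aad_usernames) -> list:
    """Platform logins whose email has no AAD account username (compared
    case-insensitively); these users cannot log in once SSO is enabled."""
    aad = {u.strip().lower() for u in aad_usernames}
    return sorted(e for e in rap_emails if e.strip().lower() not in aad)


if __name__ == "__main__":
    # Constructed sample data, not values from a real tenant.
    endpoint = ("https://login.microsoftonline.com/"
                "8ae297a6-f158-49ee-ab86-9a1883bdc4b6/oauth2/v2.0/authorize")
    authority = derive_authority(endpoint)
    print("Authority URL:", authority)
    print("Discovery doc:", discovery_url(authority))
    azure_uris = ["https://mycompany.risk-platform.com",
                  "https://mycompany.risk-platform.com/silent-renew.html"]
    print("Missing redirect URIs:", missing_redirect_uris("mycompany", azure_uris))
    print("Users who will fail SSO:",
          username_mismatches(["alice@example.com", "bob@example.com"], ["Alice@example.com"]))
```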
Configuring SSO Authentication
- Log into Risk Assessment with a login that has Company Admin permissions.
- Use the Settings button and select Company Settings from the menu.
- In the Authentication section, press the Configure button to add or edit the authentication details.
- Configure each of the settings as described below:
- Method - defaults to Single Sign-On (OpenID)
- Copy from - use this field to copy authentication settings from another of your companies; otherwise, leave it blank.
- Vanity URL Prefix - enter the prefix from the Redirect URI (see Define AAD - Step 2).
For example, if the Redirect URI is https://abx.risk-platform.com, enter "abx" as the prefix.
Important: If you enter a prefix different from the one defined by your IT team, you must inform them so they can update the Web Redirect URIs.
- Authority URL - enter the OAuth endpoint URL (see Collect AAD - Step 2) with the "oauth2" and "authorize" path segments removed. For example, if the endpoint URL in AAD is:
https://login.microsoftonline.com/8ae297a6-f158-49ee-ab86-9a1883bdc4b6/oauth2/v2.0/authorize
The Authority URL would be:
https://login.microsoftonline.com/8ae297a6-f158-49ee-ab86-9a1883bdc4b6/v2.0
- Client ID - enter the Application (client) ID (see Collect AAD - Step 1).
- Press the Save button only after you are sure all details are correct.
You will be immediately logged out of the application and must log in with valid authentication credentials per the settings you defined on this page.
To log in, all users must now use the new URL, which includes the vanity URL prefix (e.g., https://abx.risk-platform.com). This account-specific URL prompts the platform to check the defined authentication details.
Note: If the authentication settings are incorrect, you will not be able to log back in without assistance. Should this happen, contact us at support@arctic-inteligence.com or use the Support button in the lower left of the login page.
Removing or Disabling SSO Authentication
To temporarily disable the configured authentication, press the toggle at the far right of the page.
To remove the settings, press the Delete button in the upper right to delete the configured authentication settings.
Users must log in with the email and password stored on the platform.
Common Mistakes and Solutions
User login fails with "You are not a registered user."
Problem: When a new user attempts to log in, they receive the error "You are not a registered user. Please contact us to create an account."
Cause 1: The user is logged onto their network with an email address that does not match the email address defined on their user account in RAP.
Solution 1: The user should open a browser in incognito mode and then go to the RAP login page. When prompted, log onto the network using the same email address defined on their user account in RAP.
Cause 2: The user is not in a group assigned to the application in Azure.
Solution 2: When the application is defined in Azure, a group is generally assigned to it, and users are added to the group. Alternatively, the users could be added directly, or ‘everyone’ is provided access.
This is found in Azure AD > Enterprise applications > [app name] > Users and Group.
Confirm the user is a direct member or group member and that the primary email address matches what is defined on their user account in RAP.
SSO login URL loads the login page for email and password
Problem: Going to the new SSO-enabled login URL takes the user to the email/password login page instead of logging them in automatically. The browser console shows the error (or similar):
OidcConfigService 'load' threw an error on calling https://mycompany.risk-platform.com/api/config/configuration Error: Property 'stsServer' is not present of passed config
Cause: The Vanity URL Prefix defined in the Risk Assessment Platform does not match the prefix in the web address defined in the Web Redirect URIs in Azure Active Directory.
Solution: Ensure the same prefix is defined in both locations.